srptool: fix stack buffer overflow with large SRP groups
authorDmitrichenko Mikhail <m.dmitrichenko222@gmail.com>
Mon, 12 Jan 2026 10:28:14 +0000 (10:28 +0000)
committerMikhail Dmitrichenko <mdmitrichenko@astralinux.ru>
Wed, 14 Jan 2026 07:09:47 +0000 (10:09 +0300)
The static buffer `result` in _srp_crypt() was only 1024 bytes, while the
8192-bit SRP group produces a base64-encoded verifier of 1366
characters.

Using sprintf() with the old buffer caused a stack buffer overflow
(undefined behaviour) when --index=6 or --index=7 was used.

This commit:
- increases the static buffer size to 2048 bytes (sufficient for all
  currently supported groups),
- replaces sprintf() with snprintf() to prevent overflow even if the
  buffer were accidentally too small.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Fixes: #1777
Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
src/srptool.c

index a6206a1fbdb2bf59915b8efb19eb89457d323245..102912d30c9d73ccb7514399fcd6b24232243096 100644 (file)
@@ -428,7 +428,7 @@ static char *_srp_crypt(const char *username, const char *passwd, int salt_size,
                        const gnutls_datum_t *g, const gnutls_datum_t *n)
 {
        unsigned char salt[128];
-       static char result[1024];
+       static char result[2048];
        gnutls_datum_t dat_salt, txt_salt;
        gnutls_datum_t verifier, txt_verifier;
 
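Review bot: The new `static char result[2048];` is a bare magic number; nothing next to the declaration records what it must hold or why 2048 suffices, so the next group added to the tool would have to rediscover the bound. A short comment above the line would keep that knowledge with the code, e.g. `/* Holds base64(verifier) ":" base64(salt) NUL; the 8192-bit group gives a 1366-char verifier and salt[] is 128 bytes (~172 chars base64), so 2048 leaves headroom and the snprintf size check below rejects anything larger. */` (the exact salt encoding length is inferred from `salt[128]`, worth confirming). It is also worth noting in the same comment that the buffer is `static`, so the pointer returned to the caller is overwritten by the next call. The body of _srp_crypt continues past this hunk.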
@@ -465,7 +465,15 @@ static char *_srp_crypt(const char *username, const char *passwd, int salt_size,
                return NULL;
        }
 
-       sprintf(result, "%s:%s", txt_verifier.data, txt_salt.data);
+       if (snprintf(result, sizeof(result), "%s:%s", txt_verifier.data,
+                    txt_salt.data) >= sizeof(result)) {
+               fprintf(stderr,
+                       "Unexpectedly large SRP verifier - buffer too small\n");
+               free(txt_salt.data);
+               free(txt_verifier.data);
+               return NULL;
+       }
+
        free(txt_salt.data);
        free(txt_verifier.data);